
Blog

France Updates Rules on Processing Customer Data

August 8, 2012

In 2005, the French Data Protection Authority (CNIL) issued standard procedures for reporting whether a company is engaging in automatic processing of the personal data of existing and prospective customers. The procedures outline how to report if a company is using automated systems to process personal data for purposes such as contracts, deliveries, invoices, accounting, loyalty programs, prospective activities, statistics, and the like.

Recently, after months of consultations, the CNIL updated these procedures. The updated procedures ("Simplified Standard No. 48") lighten the reporting burden for companies engaging in certain types of automated processing. The simplified process is not available for financial institutions, nor for insurance, health or educational companies. According to the CNIL, the new procedures were intended to take into account "new" online methods of interaction, like customer satisfaction surveys, contests and sweepstakes, while maintaining the protections afforded to individuals under the French privacy laws. According to the CNIL, the new procedures can also be used for the technical aspects of data management, like "de-duplication," enrichment, and normalization.

The procedures include not only requirements about reporting, but also requirements for the treatment of information. For example, they state that customers' personal information can be kept only as long as "strictly necessary" for the purposes of managing the customer relationship.

TIP: Companies that previously filed under the old standard may not need to re-file, but should review their practices to ensure they continue to be compliant under the new standard. If they are not yet complying with the new requirements, they will have until July 2013 to do so.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.


Copyright © 2025. Winston & Strawn LLP
